Audit Collection Services (ACS) collect local Security event log records generated by audit policy and store them in a centralized database.
Audit Collection Services (ACS) consolidates individual Security logs into a centrally managed database.
Only a user who has the right to access the ACS database can run queries and create reports on the collected data.
Audit Collection Services (ACS) consists of three components:
Audit Collection Services (ACS) requires mutual authentication between the ACS collector and each ACS forwarder.
All Data between ACS forwarders and the ACS collector are encrypted.
Data is not encrypted between the ACS collector and the ACS database.
You can encrypt all communication between ACS collector and the ACS database using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
ACS Forwarders send all security event log to ACS Collector using inbound TCP port 51909 “open this port in case of you have firewall”.
A local Security log of any server can be accessed by the local administrator, but cannot access ACS database by default.
You can assign a group with permissions to access the audit database to views and queries the ACS database.
Local administrator cannot change Configuration of ACS forwarder, all changes must be come from ACS collector.
ACS forwarder closes the inbound TCP port used by ACS collector after authentication so only outgoing communication is allowed.
ACS collector must terminate and reestablish a communication channel to make any configuration changes to an ACS forwarder.
To Installing and Configuring Audit Collection Services you can download the full docuemnt from the following link
or contact me @ Tarek_877@hotmail.com to get a copy